CVE-2026-48190
Analyzed Analyzed - Analysis Complete
Incorrect Permission Handling in OTRS External Interface

Publication date: 2026-06-01

Last updated on: 2026-06-15

Assigner: OTRS AG

Description
An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for CI information. Please note that CMDB has to be anabled and CustomerGroupSupport has to be used to be affected. This issue affects OTRS: * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.4.X
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-15
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-48190
EUVD
EUVD-2026-33550
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
otrs otrs From 7.0.0 (inc) to 8.0.37 (inc)
otrs otrs From 2023.0.0 (inc) to 2026.4.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-276 During installation, installed file permissions are set to allow anyone to modify those files.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is caused by incorrect handling of permissions in the OTRS External Interface and the ConfigItem List module. It allows an authenticated customer to query the system for Configuration Item (CI) information. For this vulnerability to be exploitable, the Configuration Management Database (CMDB) must be enabled and CustomerGroupSupport must be used.

Impact Analysis

The impact of this vulnerability is that an authenticated customer could gain unauthorized access to CI information within the system. This could lead to information disclosure, potentially exposing sensitive configuration details that should be restricted.

Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves incorrect handling of permissions in the OTRS External Interface and ConfigItem List module, allowing authenticated customers to query CI information when CMDB and CustomerGroupSupport are enabled.

No specific detection commands or network/system scanning methods are provided in the available resources.

Mitigation Strategies

To mitigate this vulnerability, update OTRS to version 2026.4.1 or later, where the issue has been patched.

Note that no patches will be provided for OTRS 7, so users of that version should consider upgrading to a supported version.

Immediate mitigation involves disabling the CMDB feature or CustomerGroupSupport if possible, to prevent exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48190. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart